Application Gateway uses WAF SKU
March 21, 2025
SYNOPSIS
Internet accessible Application Gateways should protect endpoints with WAF.
DESCRIPTION
Application Gateway endpoints can optionally be configured with a Web Application Firewall (WAF) policy. When configured, every incoming request is filtered by the WAF policy.
To use a WAF policy, the Application Gateway must be deployed with a Web Application Firewall SKU.
RECOMMENDATION
Consider deploying Application Gateways with a WAF SKU to protect against common attacks.
EXAMPLES
Configure with Azure template
To deploy Application Gateways that pass this rule:
- Deploy an Application Gateway with the WAF or WAF_v2 SKU.
For example:
{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2020-11-01",
  "name": "appGw-001",
  "location": "[resourceGroup().location]",
  "properties": {
    "sku": {
      "name": "WAF_v2",
      "tier": "WAF_v2"
    },
    "webApplicationFirewallConfiguration": {
      "enabled": true,
      "firewallMode": "Prevention",
      "ruleSetType": "OWASP",
      "ruleSetVersion": "3.2",
      "disabledRuleGroups": [],
      "requestBodyCheck": true,
      "maxRequestBodySizeInKb": 128,
      "fileUploadLimitInMb": 100
    }
  }
}
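The check this rule describes can be run against a template before deployment. The following is an added example, not code from this page or the project behind it: it flags gateways whose SKU tier is not WAF or WAF_v2 and, going beyond the rule, gateways on a WAF SKU where the WAF is off or not in Prevention mode. The function names and sample gateways are hypothetical; it assumes the template's resources section is an array and that a separately attached WAF policy appears as properties.firewallPolicy.id.

```python
import json

WAF_TIERS = {"WAF", "WAF_v2"}  # the two SKU tiers this rule accepts
GATEWAY_TYPE = "microsoft.network/applicationgateways"

def check_gateway(resource):
    """Return findings for one applicationGateways resource ([] means pass)."""
    props = resource.get("properties", {})
    tier = props.get("sku", {}).get("tier")
    if isinstance(tier, str) and tier.startswith("["):
        return [f"SKU tier is the expression {tier}; resolve it before judging"]
    if tier not in WAF_TIERS:
        return [f"SKU tier {tier!r} cannot apply a WAF policy"]
    # Beyond this rule: a WAF SKU filters nothing until the WAF is switched on.
    if props.get("firewallPolicy", {}).get("id"):
        return []  # assumption: separate WAF policy attached; its mode is set there
    waf = props.get("webApplicationFirewallConfiguration", {})
    if waf.get("enabled") is not True:
        return ["WAF SKU deployed but the WAF is not enabled"]
    if waf.get("firewallMode") != "Prevention":
        return [f"WAF mode is {waf.get('firewallMode')!r}, not 'Prevention'"]
    return []

def audit_template(template):
    """Map gateway name -> findings, walking nested child resources as well."""
    report, stack = {}, list(template.get("resources", []))
    while stack:
        res = stack.pop()
        stack.extend(res.get("resources", []))
        if res.get("type", "").lower() == GATEWAY_TYPE:
            report[res.get("name")] = check_gateway(res)
    return report

def gw(name, tier, **waf):
    """Build a constructed sample gateway resource for the demo below."""
    props = {"sku": {"name": tier, "tier": tier}}
    if waf:
        props["webApplicationFirewallConfiguration"] = waf
    return {"type": "Microsoft.Network/applicationGateways", "name": name, "properties": props}

# Constructed sample template, not taken from any real deployment.
SAMPLE = {"resources": [
    gw("appGw-std", "Standard_v2"),
    gw("appGw-detect", "WAF_v2", enabled=True, firewallMode="Detection"),
    gw("appGw-001", "WAF_v2", enabled=True, firewallMode="Prevention"),
    gw("appGw-param", "[parameters('skuTier')]"),
]}

if __name__ == "__main__":
    print(json.dumps(audit_template(SAMPLE), indent=2))
```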
Configure with Bicep
To deploy Application Gateways that pass this rule:
- Deploy an Application Gateway with the WAF or WAF_v2 SKU.
For example:
resource appGw 'Microsoft.Network/applicationGateways@2021-02-01' = {
  name: 'appGw-001'
  location: location
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    webApplicationFirewallConfiguration: {
      enabled: true
      firewallMode: 'Prevention'
      ruleSetType: 'OWASP'
      ruleSetVersion: '3.2'
    }
  }
}
Configure with Azure CLI
az network application-gateway update --sku WAF_v2 -n '<name>' -g '<resource_group>'
Configure with Azure PowerShell
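# Set-AzApplicationGatewaySku only changes the local object; Set-AzApplicationGateway applies it.
$AppGw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'
$AppGw = Set-AzApplicationGatewaySku -ApplicationGateway $AppGw -Name 'WAF_v2' -Tier 'WAF_v2'
Set-AzApplicationGateway -ApplicationGateway $AppGw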